In the previous post in the ‘things you should know’ series I discussed Wireless Hacking basics. It’s recommended that you go through it before starting this tutorial.
Pre-requisites
You should know (all this is covered in Wireless Hacking basics)-
- What are the different flavors of wireless networks you’ll encounter and how difficult it is to hack each of them.
- What are hidden networks, and whether they offer a real challenge to a hacker.
- Have a very rough idea how each of the various ‘flavors’ of wireless networks is actually hacked.
Post-reading
You will know –
- Know even more about different flavors of wireless networks.
- How to go about hacking any given wireless network.
- Common tools and attacks that are used in wireless hacking.
The last two points would be covered in detail in the coming posts.
A rough idea about the cryptographic aspects of the attacks, the vulnerabilities and the exploits.
A rough idea about the cryptographic aspects of each ‘flavor’ of wireless network security.
Pirates of the Caribbean
Suppose you are in ship manufacturing business.
These are times when pirates were rampaging the seas. You observed how the
merchant ships are all floating unguarded in the seas, and the pirate industry is
booming because of easy targets. You decide to create fortified ships,
which can defend themselves against the pirates. For this, you use an alloy
X. Your idea was appreciated by merchants and everyone started using your ships….
 |
| The most iconic pirates of modern times |
Unfortunately, your happiness was short lived. Soon, the pirates found out flaws in
your ships and any pirate who knew what he was doing could easily get
past your ship’s defense mechanisms. For a while you tried to fix the
known weaknesses in the ship, but soon realized that there were too many
problems, and that the very design of the ship was flawed.
You knew what flaws the pirates were exploiting, and could build a new and stronger ship. However, the merchants weren’t willing to pay for new ships. You
then found out that by remodeling some parts of the ship in a very
cost efficient way, you could make the ship’s security almost
impenetrable. In the coming years, some pirates found a few structural
weaknesses in alloy X, and some issues with the core design of the ship (remnant weaknesses of the original ship). However,
these weaknesses were rare and your customers were overall happy.
After
some time you decided to roll out an altogether new model of the ship. This time,
you used a stronger allow, Y. Also, you knew all the flaws in the
previous versions of the ship, and didn’t make any errors in the design
this time. Finally, you had a ship which could withstand constant
bombardment for months on end, without collapsing. There was still scope
for human error, as the sailors can sometimes be careless, but other
than that, it was an invincible ship.
WEP, WPA and WPA-2
WEP is the flawed ship in the above discussion. The aim of Wireless Alliance was to write an algorithm to make wireless network (WLAN) as secure as wired networks (LAN). This is why the protocol was called Wired Equivalent Privacy (privacy equivalent to the one expected in a traditional wired network). Unfortunately, while in theory the idea behind WEP sounded bullet-proof, the actual implementation was very flawed. The main problems were static keys and weak IVs. For a while attempts were made to fix the problems, but nothing worked well enough(WEP2, WEPplus, etc. were made but all failed).
WPA was a new WLAN standard which was compatible with devices using WEP encryption. It fixed pretty much all the flaws in WEP encryption, but the limitation of having to work with old hardware meant that some remnants of the WEPs problems would still continue to haunt WPA. Overall, however, WPA was quite secure. In the above story, this is the remodeled ship.
WPA-2 is the latest and most robust security algorithm for wireless networks. It wasn’t backwards compatible with many devices, but these days all the new devices support WPA-2. This is the invincible ship, the new model with a stronger alloy.
But wait…
In last tutorial I assumed WPA and WPA-2 are the same thing. In this
one, I’m telling you they are quite different. What’s the matter?
Well actually, the two standards are indeed quite different. However, while it’s true there are some remnant flaws in WPA that are absent in WPA-2, from a hacker’s perspective, the technique to hack the two networks is often the same. Why?
- Very few tools exist which carry out the attacks against WPA networks properly (the absence of proof-of-concept scripts means that you have to do everything from scratch, which most people can’t).
- All these attacks work only under certain conditions (key renewal period must be large, QoS must be enabled, etc.)
Because of these reasons, despite WPA being a little less secure than WPA-2, most
of the time, a hacker has to use brute-force/dictionary attack and other
methods that he would use against WPA-2, practically making WPA and
WPA-2 the same thing from his perspective.
PS: There’s more to the WPA/WPA-2 story than what I’ve captured here. Actually WPA or WPA-2 are ambiguous descriptions, and the actual intricacy (PSK, CCMP, TKIP, X/EAP, AES w.r.t. cipher used and authentication used) would required further diving into personal and enterprise versions of WPA as well as WPA-2.
How to Hack
Now that you know the basics of all these network, let’s get to how actually these networks are hacked. I will only name the attacks, further details would be provided in coming tutorials-
WEP
 |
| The Initialization vector v passed to the RC4 cipher is the weakness of WEP |
Most of the attacks rely on
(initialization vectors). Basically, if you collect enough of them, you will get the password.
- Passive method
- If you don’t want to leave behind any footprints, then passive method is the way to go. In this, you simply listen to the channel on which the network is on, and capture the data packets (airodump-ng). These packets will give you IVs, and with enough of these, you can crack the network (aircrack-ng). I already have a tutorial on this method, which you can read here – Hack WEP using aircrack-ng suite.
- Active methods
- ARP request replay – The above method can be incredibly slow, since you need a lot of packets (there’s no way to say how many, it can literally be anything due the nature of the attack. However, usually the number of packets required ends up in 5 digits). Getting these many packets can be time consuming. However, there are many ways to fasten up the process. The basic idea is to initiate some sort of conversation in the network, and then capture the packets that arise as a result of the conversation. The problem is, not all packets have IVs. So, without having the password to the AP, you have to make it generate packets with IVs. One of the best ways to do this is by requesting ARP packets (which have IVs and can be generated easily once you have captured at least one ARP packet). This attack is called ARP replay attack. We have a tutorial for this attack as well, ARP request replay attack.
- Chopchop attack
- Fragmentation attack
- Caffe Latte attack
I’ll cover all these attacks in detail separately (I really can’t sumarrize the bottom three). Let’s move to WPA-
WPA-2 (and WPA)
There are no vulnerabilities here that you can easily exploit. The only two options we have are to guess the password or to fool a user into giving us the password.
- Guess the password – For guessing something, you need two things : Guesses (duh) and validation. Basically, you need to be able to make a lot of guess, and also be able to verify if they are correct or not. The naive way would be to enter the guesses into the password field that your OS provides when connecting to the wifi. That would be slow, since you’d have to do it manually. Even if you write a script for that, it would take time since you have to communicate with the AP for every guess(that too multiple times for each guess). Basically, validation by asking the AP every time is slow. So, is there a way to check the correctness of our password without asking the AP? Yes, but only if you have a 4-way handshake. Basically, you need the capture the series of packets transmitted when a valid client connects to the AP. If you have these packets (the 4-way handshake), then you can validate your password against it. More details on this later, but I hope the abstract idea is clear. There are a few different ways of guessing the password :-
- Bruteforce – Tries all possible passwords. It is guaranteed that this will work, given sufficient time. However, even for alphanumeric passwords of length 8, bruteforce takes incredibly long. This method might be useful if the password is short and you know that it’s composed only of numbers.
- Wordlist/Dictionary – In this attack, there’s a list of words which are possible candidates to be the password. These word list files contains english words, combinations of words, misspelling of words, and so on. There are some huge wordlists which are many GBs in size, and many networks can be cracked using them. However, there’s no guarantee that the network you are trying to crack would have it’s password in the list. These attacks get completed within a reasonable timeframe.
- Rainbow table – The validation process against the 4-way handshake that I mentioned earlier involves hashing of the plaintext password which is then compared with the hash in handshake. However, hashing (WPA uses PBKDF2) is a CPU intensive task and is the limiting factor in the speed at which you can test keys (this is the reason why there are so many tools which use GPU instead of CPU to speed up cracking). Now, a possible solution to this is that the person who created the wordlist/dictionary that we are using can also convert the plaintext passwords into hashes so that they can be checked directly. Unfortunately, WPA-2 uses a salt while hashing, which means that two networks with the same password can have different hashing if they use different salts. How does WPA-2 choose the salt? It uses the network’s name (SSID) as the salt. So two networks with the same SSID and the same password would have the same salt. So, now the guy who made the wordlist has to create separate hashes for all possible SSID’s. Practically, what happens is that hashes are generated for the most common SSID’s (the default one when a router is purchases like -linksys, netgear, belkin, etc.). If the target network has one of those SSID’s then the cracking time is reduced significantly by using the precomputed hashes. This precomputed table of hashes is called rainbow table. Note that these tables would be significantly larger than the wordlists tables. So, while we saved ourselves some time while cracking the password, we had to use a much larger file (some are 100s of GBs) instead of a smaller one. This is referred to as time-memory tradeoff. This page has rainbow tables for 1000 most common SSIDs.
- Fool a user into giving you the password – Basically this just a combination of Man in the middle attacks and social engineering attacks. More specifically, it is a combination of evil twin and phishing. In this attack, you first force a client to disconnect from the original WPA-2 network, then force him to connect to a fake open network that you create, and then send him a login page in his browser where you ask him to enter the password of the network. You might be wondering, why do we need to keep the network open and then ask for the password in the browser (can’t we just create a WPA-2 network and let the user give us the password directly). The answer to this lies in the fact that WPA-2 performs mutual authentication during the 4-way handshake. Basically, the client verifies that the AP is legit, and knows the password, and the AP verifies that the client is legit and knows the password (throughout the process, the password is never sent in plaintext). We just don’t have the information necessary enough to complete the 4-way handshake.
- Bonus : WPS vulnerability and reaver [I have covered it in detail seperately so not explaining it again (I’m only human, and a very lazy one too)]
 |
| The WPA-2 4 way handshake procedure. Both AP and the client authenticate each other |
Tools (Kali)
In this section I’ll name some common tools in the wireless hacking category which come preintalled in Kali, along with the purpose they are used for.
- Capture packets
- airodump-ng
- wireshark (really versatile tool, there are books just covering this tool for packet analysis)
- Crack handshakes
- aircrack-ng (can crack handshakes as well as WEP)
- hashcat (GPU cracking)
- cowpatty
- WPS
- reaver
- pixiewps (performs the “pixie dust attack”)
- Cool tools
- aireplay-ng (WEP mostly)
- mdk3 (cool stuff)
- Automation
- wifite
- fluxion (actually it isn’t a common script at all, but since I wrote a tutorial on it, I’m linking it)
You can find more details about all the tools installed on
.
Okay guys, this is all that I had planned for this tutorial. I hope you learnt a lot of stuff. Will delve into further depths in coming tutorials.
